How Are Your Passwordz?
By Daniel Balestrieri on Wednesday, March 19th, 2014
You can’t escape passwords — they are required for just about anything that needs to verify your identity. People tend to use the same password for multiple sites, and make them as easy to remember as possible. While this might be more convenient, it can enable someone who gets your password for one site to potentially access all of your accounts across the internet.
Over the past few years, the number of security breaches at large companies has been growing. One of the most treasured things to steal is a customer and/or employee username-and-password list. Once they have that list, criminals can log into those accounts and get credit card numbers, personal information, change passwords and cause grief for the victim. Since people tend to use the same passwords for multiple sites, they can then log into other sites using the same password, thus wreaking further havoc.
As a safeguard against theft, passwords are usually hashed when stored. A hashed password for the word ‘password’ would look something like:
When you create a new password, the system runs it through a hash function to convert it to something that appears random and has a fixed length. It is very easy to transform a password into a hash, but it requires a lot of processing power to convert a hash back to the original password. When you type your password to login, it performs the same hash function and checks if the result matches the hashed password.
How do attackers figure out the original passwords?
They guess! By using password cracking software, attackers can run millions of passwords through the same hash function process seeking a match. The first thing cracking software looks for, are commonly used passwords — and slight variations on them. Using ‘p455w0rd’ is not fooling anyone, as the cracking software will quickly try words like this first.
Never use personal information, like your birthdate, in your password because an attacker trying to get into your account individually may use such information about you. Below is a list of the 25 most commonly used passwords of 2013 according to SplashData. If you use any of these, be proactive about your password security and change your password(s) immediately!
The key to having a strong password is creating a complex password. A complex password can be defined by having at least 8 characters and including at least one uppercase, lowercase, and special character (!,$,% etc). Sometimes, if the password is long enough, the upper/lower/special character requirement is not needed. Since password crackers have to guess various combinations of letters and numbers for the password, the time it takes to crack increases exponentially with longer passwords.
One of the best ways to make long passwords that you can remember is to use a set of random words with a space in between. If, for some reason the site does not allow spaces, use an underscore instead. It will be easy to memorize and it will be more than eight characters long.
Use the xkcd Password Generator to try this method for yourself.
Another solution is to use a password management program like LastPass. Password Managers store all of your website passwords and automatically fill them in for you, so they can be very long and complex and not require you to remember them all. The only password you would have to remember is the password to log into that password management account. Here is a roundup of with more suggestions for password management software and multi-platform use.
- Never use the same password for multiple sites; a security breach at one leaves other accounts vulnerable.
- Passwords should be at least 8 characters long, and should not include common words or personal information such as your name or birthdate.
- Use at least 4 random words for a long, easy-to-remember password.
- Use a password manager like LastPass to keep track of all your accounts without needing to memorize multiple passwords.
If the topic of online security interests you, you might find this Fresh Air interview with Julia Angwin, author of “Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance” an interesting read as well.